Published: 07 Jun 2017
After years of attention to business practices regarding the gathering and exploitation of personal consumer information for marketing purposes, the European Union is taking definitive steps to create new regulations, harmonized across all 27 EU countries. Though the stringent laws won't affect U.S. businesses directly, their indirect impact may be considerable when enacted in May 2018.
The General Data Protection Regulation (GDPR) has been in the works for four years. It follows a 2011 initiative to protect consumer data privacy by restricting web cookies and email privacy. Though not yet in force, the GDPR is beginning to send tremors throughout the business and technical communities as they absorb the implications and begin planning to adapt to the new laws. Looking at GDPR and marketing, it's clear that companies selling goods and services in the EU will have to create compliance strategies that include turning over data they collect on a European resident when requested and data-breach notifications to authorities within 24 hours of their detection.
The GDPR also calls for "unambiguous consent" from consumers before their personal or behavioral data can be used for marketing purposes. Companies that breach consumers' rights will be fined up to 4% of revenue or about 20 million euros.
What is 'consent'?
The internet overall displays a notoriously casual attitude regarding consumer consent as a matter of convenience to marketers who have optimized their operations around the flighty behavior of users. Often, simple failure to opt out when at a webpage is taken as consent; sometimes consent is gathered by check box, but the box is pre-checked. Even failing to turn back during a brief idle period can be considered consent.
None of these tricks may be used anymore under the new law. Check boxes may be used to indicate consent as long as they are not pre-checked, and cookies placed on a user device that do not link to data personally identifying a user will still be considered acceptable. Companies gathering personal data must offer consumers clear and specific information about how their data will be used, and consumers must be offered a clear mechanism for opting out.
Fewer cookie crumbs
Cookies, of course, are an architectural cornerstone of internet activity tracking. Where a user has been, what they're viewing at the moment and where they're headed next is all crucial information in clarifying consumer online travel patterns. Cookie tracking creates behavioral maps that have come to serve as the bedrock of marketing analytics. The GDPR will make all of this information harder to get.
This GDPR and marketing regulation, along with email restrictions and an age limit on parental consent for social media (member states may set the limit between age 13 and 16), "returns control over citizens' personal data to citizens," said German MEP Jan Philipp Albrecht, who led the effort to draft the laws. "Companies will not be allowed to divulge information that they have received for a particular purpose without the permission of the person concerned."
GDPR and U.S. businesses
In the U.S., of course, it's a very different story: A consumer can browse Amazon, then go to Facebook and suddenly be presented with pop-up ads of books seen only moments earlier. Consent is assumed, at worst, and at best, consent often is buried several screens deep in small print, user-agreement pop-ups.
"[It's different] in the U.S.," said Dennis Dayman of Eloqua, a marketing software provider, at the time of the original 2011 initiative. "In the U.S., you have to opt out. There, you have to opt in."
That raises the question of what will happen to non-European companies doing business in Europe. Dayman believes multinational corporations will be impacted most: "If a company is headquartered in the U.S., the laws do not apply, but if it has subsidiaries in other countries, it could be affected."
That will amount to a serious revision in CRM practices, forcing U.S. companies with subsidiaries abroad to mix and match both analytical methodologies and bodies of data emerging from differing governances. Since the regulations won't take effect in Europe for another year, businesses on both sides of the Atlantic have some time to prepare. But how?
U.S. companies can reframe 'tracking'
The sudden drop-off in real-time data for marketing analytics will impact the quality of outcomes, at least initially, no matter how well-intentioned the laws. U.S. companies, particularly, face a period of uncertainty as the international market adjusts to the distinction between information gathered from people who don't know they're being watched versus those who know they are.
One solution to the GDPR and marketing dilemma is to find new and innovative ways to achieve, quickly and without hesitation, consumer buy-in for participation in the tracking of their buying behaviors. The hurdle here is high, since there's still considerable distrust among users around the notion of being "tracked," that Big Brother is listening and their personal information is being auctioned off to the highest bidder.
The U.S. is in a strong position to be the pacesetter in this endeavor. Businesses that begin experimenting with approaches to achieving this consumer buy-in, framing "tracking" in a positive way and finding mechanisms for drawing in customers as participants in the process stand to influence the evolution of these practices in Europe. Moreover, an open approach to leadership in the initiative may result in consumer good will since those companies would project an attitude of transparency and responsibility.
And the day may come when U.S. consumers, irate over having their private information tossed around so casually, call for domestic laws similar to the GDPR -- in which case, U.S. businesses that have already been proactive could be in the best position to run the table.
Microsoft cloud -- GDPR compliant by 2018
75% of cloud apps non-GDPR compliant
U.S. vendors unaware of looming GDPR regs